Encrypting File System (EFS)
Implementing Encrypting File System
Introduction to EFS
Implementing EFS in a Stand-Alone Microsoft
Windows Environment
Planning and Implementing EFS in a Domain Environment
Implementing EFS File Sharing
Introduction to EFS
What Is EFS?
How EFS Works
EFS Limitations
What Is EFS?
EFS:
Provides encryption for files on NTFS volumes
Protects sensitive or confidential data at rest: file contents are unreadable without the key that decrypts them
Uses a public/private key pair: each file is encrypted with a symmetric file encryption key (FEK), and the FEK is in turn encrypted with the user's EFS public key
When a file is encrypted for the first time, EFS looks for an EFS certificate in the user's local certificate store; if none is found, it requests one from an enterprise CA or, failing that, generates a self-signed certificate
To disable EFS:
Modify the local security policy, or the Group Policy Object (GPO) that applies to the computers in question
Open the GPO that you want to edit. You can use Active Directory Users and Computers or the GPMC to edit the GPO.
In the Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.
Right-click Encrypting File System, and then click Properties.
Clear the Allow users to encrypt files using Encrypting File System (EFS) check box, and then click OK.
How to disable EFS by modifying Registry
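The slide above names the registry method but gives no steps. The following PowerShell script is an added example, not part of the course material, showing how to disable EFS on a single computer through the registry and how to verify the result. It assumes the documented value EfsConfiguration (REG_DWORD, 1 = disabled) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS; the probe file name and its contents are constructed for the example.

```powershell
# Added example (not from the course slides): disable EFS on the local computer
# via the registry, then probe whether encryption still works for the current user.
# Assumed key/value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS,
#   EfsConfiguration (REG_DWORD): 1 = EFS disabled, 0 or absent = EFS enabled.
# Run from an elevated prompt; the change takes effect after a restart.

$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsState {
    $v = Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $v -or $v.EfsConfiguration -eq 0) { 'Enabled' } else { 'Disabled' }
}

function Disable-Efs {
    if (-not (Test-Path $efsKey)) { New-Item -Path $efsKey -Force | Out-Null }
    New-ItemProperty -Path $efsKey -Name EfsConfiguration -PropertyType DWord -Value 1 -Force | Out-Null
    # The built-in equivalent of this registry edit is:  fsutil behavior set disableencryption 1
}

function Enable-Efs {
    Set-ItemProperty -Path $efsKey -Name EfsConfiguration -Value 0
}

function Test-EfsEncryption {
    param([string]$Path = (Join-Path $env:TEMP 'efs-probe.txt'))
    # Constructed probe file: tells you whether EFS currently works for this user on this machine.
    Set-Content -Path $Path -Value 'constructed sample content'
    try {
        (Get-Item $Path).Encrypt()               # System.IO.FileInfo.Encrypt -> EFS
        $encrypted = ((Get-Item $Path).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
        (Get-Item $Path).Decrypt()
        return $encrypted
    } catch {
        Write-Warning "EFS refused to encrypt $Path : $($_.Exception.Message)"
        return $false
    } finally {
        Remove-Item $Path -ErrorAction SilentlyContinue
    }
}

"EFS registry state:        $(Get-EfsState)"
"Encryption currently works: $(Test-EfsEncryption)"
```

The registry value only controls the computer it is set on; the GPO procedure above is the way to enforce the same setting across a domain, and the probe function is a quick way to confirm that whichever method you used actually took effect after the restart.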
File sharing
Storing encrypted files on a remote server is accomplished through Kerberos delegation
The remote server must be trusted for delegation in Active Directory if users are going to store encrypted files on it
File Sharing on Remote Servers
[Slide diagram: move and copy of encrypted files to a remote server; only the labels "Move" and "Copy" survive extraction]
Practice: Implementing EFS File Sharing
The files to be encrypted must be available to the user through a network share.
Normal share-level security applies.
The user must have Write or Modify permissions to encrypt or decrypt a file.
The user must have either a local profile on the computer where EFS operations
will occur or a roaming profile. If the user does not have a local profile on the
remote computer or a roaming profile, EFS creates a local profile for the user on
the remote computer.
To encrypt a file, the user must have a valid EFS certificate. The certificate and
keys are stored in the user's profile on the remote computer or in the user's
roaming profile if available.
To decrypt a file, the user's profile must contain the private key associated with
the public key used to encrypt the file encryption key (FEK).
EFS must impersonate the user to obtain access to the necessary public or
private key. Because encryption and decryption happen on the remote server, file
contents cross the network in the clear unless the transport itself (for example
SMB encryption or IPsec) protects them.
The computer must be a domain member in a domain that uses Kerberos
authentication because impersonation relies on Kerberos authentication and
delegation.
The computer must be trusted for delegation.
The user must be logged on with a domain account that can be delegated.
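The requirements above are easy to get wrong in practice, so here is an added PowerShell example (not part of the course material) that checks the two Active Directory prerequisites, optionally sets them, and then performs a test encryption over the share. It assumes the RSAT ActiveDirectory module is installed and uses hypothetical names: FS01 for the file server, alice for the user, and \\FS01\Secure for the share.

```powershell
# Added example (not from the course slides): verify and remediate the delegation
# prerequisites for EFS on a remote file server, then test encryption over the share.
# Assumptions: RSAT ActiveDirectory module present; FS01 / alice / \\FS01\Secure are
# hypothetical names; the probe file content is constructed for the example.
Import-Module ActiveDirectory

function Test-EfsRemotePrereqs {
    param([string]$Server, [string]$User)
    # "Trusted for delegation" on the computer object and "account cannot be
    # delegated" on the user object are the two AD settings EFS depends on.
    $c = Get-ADComputer -Identity $Server -Properties TrustedForDelegation
    $u = Get-ADUser     -Identity $User   -Properties AccountNotDelegated
    [pscustomobject]@{
        Server               = $Server
        TrustedForDelegation = [bool]$c.TrustedForDelegation
        User                 = $User
        UserCanBeDelegated   = -not [bool]$u.AccountNotDelegated
    }
}

function Enable-EfsRemotePrereqs {
    param([string]$Server, [string]$User)
    # Run as a domain admin. Trusting a server for delegation lets it impersonate
    # any user who authenticates to it, against any service, so grant it only to
    # the file servers that actually host encrypted data.
    Set-ADComputer       -Identity $Server -TrustedForDelegation $true
    Set-ADAccountControl -Identity $User   -AccountNotDelegated $false
}

function Test-EfsOverShare {
    param([string]$SharePath)
    $probe = Join-Path $SharePath 'efs-probe.txt'
    # Needs Write or Modify on the share; the content is a constructed sample.
    Set-Content -Path $probe -Value 'constructed sample content'
    # cipher.exe ships with Windows: /e encrypts a file, /c reports its encryption
    # state and the certificates that can decrypt it.
    cipher.exe /e $probe | Out-Null
    $report    = cipher.exe /c $probe
    $encrypted = ((Get-Item $probe).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    Remove-Item $probe -ErrorAction SilentlyContinue
    [pscustomobject]@{ Path = $probe; Encrypted = $encrypted; CipherReport = ($report -join "`n") }
}

Test-EfsRemotePrereqs -Server 'FS01' -User 'alice'
# Enable-EfsRemotePrereqs -Server 'FS01' -User 'alice'   # only if the check above fails
Test-EfsOverShare -SharePath '\\FS01\Secure'
```

If the prerequisite check passes but the probe is not encrypted, the usual remaining causes are the ones listed on the slide: the user logged on with a non-domain account, no EFS certificate in the profile that was created on the server, or missing Write/Modify permission on the share.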
Lab: Implementing Encrypting File System